Is YouTube Advertising HIPAA-Compliant?

As a healthcare marketing agency, we get a lot of questions about whether or not certain tools are HIPAA-compliant. That’s why we at Hedy & Hopp decided to create a blog series that dives into common marketing tools and software to determine whether or not they pose a HIPAA concern.


This week, we’re taking a closer look at YouTube – both the advertising side and embedding videos on a website.

What Is YouTube Advertising?

YouTube is a powerful tool that can be used for marketing in a variety of ways. It has over 2 billion active users, making it a great way to reach a large audience with your messages. You can target your YouTube ads to specific demographics, interests, and behaviors, ensuring that your messages reach the right people.

YouTube is a visual platform, so it’s a great way to create engaging content that will capture people’s attention. By creating high-quality, informative videos, you can build trust and credibility with potential patients. You can also use YouTube to drive traffic to your website by embedding your videos on your website or by linking to your website in your video descriptions.

Here are some specific ways that healthcare businesses can use YouTube for marketing:

  • Create educational videos to educate potential patients about your services or about health topics in general.
  • Share patient testimonials to show potential patients that your services are effective and that they can trust you.
  • Host Q&As to connect with potential patients and answer their questions about your services or where to find support.
  • Promote your YouTube channel on other channels to encourage new audiences to subscribe.

This type of advertising, outbound marketing, is often used in conjunction with search ads, a form of inbound marketing from Bing or Google, whose compliance we have covered in previous posts.


Pro Tip:

YouTube does have specific guidelines around advertising in healthcare. Most notably, companies promoting pharmaceuticals & addiction services must be verified through LegitScript in order to advertise on YouTube’s platform.

What Data Does YouTube Advertising Collect?

Similar to Google Ads, YouTube relies heavily on the user being signed into their Google Account (which automatically becomes their YouTube account) in order to track behavior across a wide range of touchpoints. This means that YouTube collects the following data on its users:

  • Device information: This includes your device’s IP address, operating system, and browser type.
  • Search history: This includes the keywords you’ve searched for and the websites you’ve visited.
  • Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
  • Location data: This includes your approximate location based on your IP address.
  • Session data: This includes your web browsing history.


Additionally, even just embedding a YouTube video on a website could be cause for concern, as the iframe sends information back to DoubleClick, the base advertising platform that Google uses. This means that users watching a YouTube video embedded on a third-party site could have that video’s contents tied to their Google profile, which could potentially reveal sensitive health information about that user.
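One way to inventory this exposure, as an added example that is not part of the original post: a short Python audit that lists, page by page, every YouTube iframe and Google tag or pixel load found in a site's HTML. The host list and the sample pages are constructed assumptions, not a complete list of Google endpoints.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Illustrative, non-exhaustive host list (an assumption of this example).
WATCHED_HOSTS = {
    "youtube.com": "YouTube embed",
    "doubleclick.net": "DoubleClick request",
    "googletagmanager.com": "Google tag",
    "google-analytics.com": "Google Analytics",
}
LOADING_TAGS = {"iframe", "script", "img"}  # tags that fetch a remote src

# Constructed sample pages; paths, IDs and URLs are placeholders.
SAMPLE_PAGES = {
    "/conditions/diabetes": '<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>'
                            '<script src="https://www.googletagmanager.com/gtag/js?id=TAG_ID"></script>',
    "/services/rehab": '<img src="//stats.g.doubleclick.net/constructed-pixel" />',
    "/about": '<img src="/img/team.jpg"><script src="/js/site.js"></script>',
}

def classify(url):
    """Return the label of a watched host, or None for any other URL."""
    host = (urlparse(url).hostname or "").lower()
    for domain, label in WATCHED_HOSTS.items():
        # Match the domain itself or a subdomain, never a lookalike suffix.
        if host == domain or host.endswith("." + domain):
            return label
    return None

class EmbedAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, label, src) per watched third-party load
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        label = classify(src) if tag in LOADING_TAGS else None
        if label:
            self.findings.append((tag, label, src))

def audit_site(pages):
    """Map each page path to its findings; clean pages are omitted."""
    report = {}
    for path, html in pages.items():
        auditor = EmbedAuditor()
        auditor.feed(html)
        if auditor.findings:
            report[path] = auditor.findings
    return report

if __name__ == "__main__":
    print(audit_site(SAMPLE_PAGES))
```

Pages whose path names a condition or service are the ones to review first, since the path travels with the third-party request context.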

Is YouTube Advertising HIPAA-Compliant?

Since the Department of Health and Human Services released its updated guidance, it hasn’t exactly been black and white whether or not this crosses a line. From our perspective, YouTube advertising is certainly something your team should think critically about, especially when you consider the long list of Google’s subprocessors, who could potentially have access to any and all data collected. This is especially true if you’re adding a Google tracking pixel to your website.

Furthermore, there are also some tactics available in YouTube Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your YouTube data, including optimization and data visualization software.

Risk Mitigation

As with most advertising platforms, there are steps that can be taken to mitigate risk and to protect your users’ data as much as possible. Some good rules of thumb are to limit conversion pixels as much as possible, to consider a server-side tagging strategy, and to ensure that you are not using predatory tactics to reach people with a specific condition or disease.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible.


Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Not sure how to get started?

Hedy & Hopp has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!



About the Author

The Hedy & Hopp digital production team is the glue that keeps all activation work running. From auditing websites and tagging, to content strategy and CRM implementation, our digital production unicorns ensure the tiniest detail is reviewed and accurate before it gets to our clients. Their determination in finding solutions for any challenge makes this team marketing happy.
